[Web] Brute Forcer v1.1
[ Capabilities ]
[+] Brute force via the POST method
[+] Brute force via the GET method
[+] Brute force of Basic Authorization (via the HEAD method)
[+] Brute force of FTP
[+] Multithreading (1 ~ 1000 threads)
[+] Ability to set additional Request (GET / POST) variables.
[+] Ability to set cookies.
[+] Brute force through proxies (built-in proxy rotator with auto-check function and customizable auto-switch)
[+] 3 attack modes:
- Attack on 1 login
- Attack on several logins
- Attack on 1 password
[+] Built-in plain HTML browser with highlighting of input tags and showing headers received from the site.
[+] Dictionary manager (generation, joining, splitting)
- The program requires .NET Framework > 2.0
- Settings are stored in the Config.xml file
- You can delete saved items from a ComboBox by pressing Ctrl + Delete.
- When run with the /oldstyle switch, the program uses the old design style.
- When you switch tabs, the GUI lags a little.
- Try not to use Cyrillic characters in the indicator (because some sites send the wrong encoding in the header).
- The program is still raw, so I hope for your advice and reports of any glitches you find.
[Manual for beginners]
You must transfer the data from the web form to the program.
To do this, open the page source and find the <form> tag (there may be several of these tags, so you need to make sure that it is the right form).
1. In this <form> tag, look for the action attribute. This is the destination URL. If there is no such attribute, copy the URL of the page we opened. There is also a method attribute. If it is POST, set the Protocol / Attack Method to HTTP-POST; if it is GET, set it to HTTP-GET. (Note that all GET requests are stored in the server's logs, so the brute-force attempt is likely to be quickly recognized by the growing size of the logs.)
2. Then, inside our <form> tag, look for the <input> tags (they are highlighted in the Browser). These are the so-called fields. We need the credential fields, that is, the fields in which the username and password are sent to the server.
Look for the name attribute in the <input> tag. If its contents are similar to login, nickname, username, and so on (I think the idea is clear), then this is the login field. Copy the name attribute into the "Login" field of our program.
Fill in the "password" field in the same way (it will probably have the name pass, password, pwd, etc.).
You also need to transfer the additional fields (name and value attributes) to the Additional request-variables section.
If there is an <input> in the <form> tag with type="submit", then this is the login button. Transfer its attributes to the program in the section "Attributes of Submit-Buttons".
If any <input> tag does not have the name attribute, then it does not interest us.
3. Then you need to set a text indicator for a successful login.
This is an important parameter, and it is different for each site. Based on this indicator, the program decides whether or not a successful login has occurred. That is, if the specified text is missing / present in the source of the page, then the login is considered successful.
As an indicator, you can use a code fragment of the form (as it will certainly not be present in the page after a successful attempt), or, if you have an account on the site being attacked, use a code snippet that is uniquely present in the page when the attempt is successful (for example, the code for the site's "Exit" button).
4. Then, if necessary, set the Cookies. What these are, read on Wikipedia. Copy them from the browser to the program.
To be sure, you must first completely clear the cookies of the attacked site, then go to it, and then copy them. Usually, sites check Cookies in order to make sure that you are not a robot.
5. As for the type of attack, I think everything is clear.
If you need to attack 1 account, enter the login and specify a file with passwords.
If there is more than one account, you need a file in which the username and password are separated by a separator, for example:
As for the attack on 1 password, I think you can figure it out yourself.
If you have a working account on the site being attacked, do not be lazy - be sure to test the program on it.
A clear sign that the program is not set up correctly is when all attempts are reported as successful (the results are shown in the program's log field). If this occurs, recheck the parameters.
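Seen from the defending side, the note above that GET attempts land in the server's logs, together with the three attack modes and the proxy rotator, gives a concrete log check. The following is an added example, not part of the tool or the original post; the /login path, the user field name, the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common/combined access-log prefix: ip, ident, user, [time], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def sample_log():
    """Constructed log (documentation IP ranges, hypothetical /login form)."""
    fmt = ('{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] '
           '"GET /login?user={u}&pass=REDACTED HTTP/1.1" 200 512')
    rows = [("203.0.113.%d" % i, "alice") for i in range(1, 7)]    # 1 login, rotating proxies
    rows += [("198.51.100.9", "user%d" % i) for i in range(1, 6)]  # 1 password, many logins
    rows += [("192.0.2.10", "bob")]                                # ordinary single login
    return "\n".join(fmt.format(ip=ip, s=i, u=u) for i, (ip, u) in enumerate(rows))

def parse_attempts(log_text, login_path="/login", user_field="user"):
    """Yield (source_ip, username) for each logged GET request to the login form."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "GET":
            continue  # malformed line, or a method whose form fields are not in the URL
        url = urlsplit(m.group(3))
        users = parse_qs(url.query).get(user_field)
        if url.path == login_path and users:
            yield m.group(1), users[0]

def detect(log_text, per_user_limit=5, users_per_ip_limit=5):
    """Return (targeted accounts, sources trying many accounts).

    Counting per username as well as per IP matters: a proxy rotator keeps
    every single source address under any per-IP threshold.
    """
    attempts = defaultdict(int)
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    for ip, user in parse_attempts(log_text):
        attempts[user] += 1
        ips_per_user[user].add(ip)
        users_per_ip[ip].add(user)
    targeted = {u: (n, len(ips_per_user[u]))
                for u, n in attempts.items() if n >= per_user_limit}
    spraying = {ip: len(us) for ip, us in users_per_ip.items()
                if len(us) >= users_per_ip_limit}
    return targeted, spraying

if __name__ == "__main__":
    print(detect(sample_log()))
```

The same sample shows a second problem with GET login forms: the password travels in the query string and is written to the access log, which is why it appears as REDACTED here.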
[Example of settings for brute-forcing mail.ru]
As they say, "they do not go skiing, I'm ash ..."
P.S. The cookies contain variables received automatically when visiting mail.ru. As I found out, the values of these fields can be anything, since at login they are checked for their existence, not their contents.
webbruteforcer.zip [50 kb]